Closed nholik closed 5 months ago
I have submitted a PR with tests for this here: https://github.com/okta/okta-auth-js/pull/1481
@nholik Thanks for reporting the issue and PR! We will have the PR reviewed and release the change once it's merged.
Internal Ref: OKTA-678622
Released in 7.5.1
https://github.com/okta/okta-auth-js/releases/tag/okta-auth-js-7.5.1
Describe the bug
Per the OpenID spec:
The library assumes the common special case only of one audience. It should allow there to be an array of audience claims as well and check that at least one matches.
Reproduction Steps?
Use the SDK with an issuer that sends back an array of audience claims in an ID token. Validation will fail, even if there is a valid audience in the aud claim.
SDK Versions
7.5.0
Additional Information?
No response
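An audience check that accepts both the single-string and the array form of `aud`, as an added example that is not code from okta-auth-js or from the linked PR. It goes beyond the "at least one matches" rule in the report by also applying the related OpenID Connect Core ID Token validation rules (reject untrusted extra audiences, check `azp`); `validateAudience`, `trustedAudiences` and the sample claims are hypothetical, and the claims are assumed to come from a token whose signature and issuer were already verified.

```javascript
// Added example: audience check on already-verified ID token claims.
// validateAudience and trustedAudiences are hypothetical names, not SDK API.
function validateAudience(claims, clientId, trustedAudiences = []) {
  const aud = claims.aud;
  // `aud` may be a single string (common case) or an array of strings.
  const audiences = Array.isArray(aud) ? aud : [aud];
  const wellFormed = audiences.length > 0 &&
    audiences.every((a) => typeof a === 'string' && a.length > 0);
  if (!wellFormed) {
    return { ok: false, reason: 'aud missing or malformed' };
  }
  // Exact, case-sensitive comparison; never substring or prefix matching.
  if (!audiences.includes(clientId)) {
    return { ok: false, reason: 'client_id not in aud' };
  }
  // Extra audiences are accepted only if the client explicitly trusts them.
  const allowed = new Set([clientId, ...trustedAudiences]);
  const untrusted = audiences.filter((a) => !allowed.has(a));
  if (untrusted.length > 0) {
    return { ok: false, reason: 'untrusted audience: ' + untrusted.join(', ') };
  }
  // The spec says the client SHOULD verify azp is present when there are
  // multiple audiences; this example chooses to enforce it.
  if (audiences.length > 1 && claims.azp === undefined) {
    return { ok: false, reason: 'azp required with multiple audiences' };
  }
  // If azp is present, it must name this client.
  if (claims.azp !== undefined && claims.azp !== clientId) {
    return { ok: false, reason: 'azp does not match client_id' };
  }
  return { ok: true, reason: null };
}

// Constructed sample claims (not taken from a real issuer).
const CLIENT_ID = 'example-client-id';
const API_AUD = 'https://api.example.test';
const samples = {
  single: { aud: CLIENT_ID },
  array: { aud: [API_AUD, CLIENT_ID], azp: CLIENT_ID },
  arrayNoAzp: { aud: [API_AUD, CLIENT_ID] },
  otherClient: { aud: ['some-other-client'] },
  prefixOnly: { aud: CLIENT_ID + '-staging' },
};

for (const [name, claims] of Object.entries(samples)) {
  console.log(name, validateAudience(claims, CLIENT_ID, [API_AUD]));
}
```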